
Bug 605894 (CVE-2017-0381)

Summary: <media-libs/opus-{1.1.3-r1,1.2_alpha}: Memory corruption during media file and data processing (CVE-2017-0381)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: sound
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2017-01-16 14:04:47 UTC
From ${URL} :

A remote code execution vulnerability in silk/NLSF_stabilize.c in libopus could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing.

Upstream patch:


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 David Seifert gentoo-dev 2017-01-20 18:57:41 UTC
@sec, you can proceed with stabilising opus-1.1.3-r1

commit fedc905f2f73265c4108e2a4b359846d10dee66d
Author: David Seifert <>
Date:   Fri Jan 20 19:53:40 2017 +0100

    media-libs/opus: Add patch for CVE-2017-0381
    Gentoo-bug: 605894
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-20 19:01:13 UTC
@ Arches,

please test and mark stable: =media-libs/opus-1.1.3-r1
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-21 11:44:12 UTC
Stable on alpha.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-21 14:10:44 UTC
Stable for HPPA PPC64.
Comment 5 Agostino Sarubbo gentoo-dev 2017-01-21 17:17:02 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-01-21 17:27:49 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-01-21 20:34:43 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-01-22 16:30:39 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-01-23 16:28:52 UTC
ia64 stable
Comment 10 Markus Meier gentoo-dev 2017-02-15 18:18:37 UTC
arm stable, all arches done.
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-16 12:11:14 UTC
New GLSA request filed.

@ Maintainer(s): Please cleanup and drop <media-libs/opus-1.1.3-r1!
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-02-20 23:58:34 UTC
This issue was resolved and addressed in
 GLSA 201702-21 at
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-20 23:59:27 UTC
Re-opening for cleanup.

@ Maintainer(s): Please cleanup and drop <media-libs/opus-1.1.3-r1!
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2017-07-16 01:23:42 UTC
tree is clean.